This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission. Please click "Reprint" to order presentation-ready copies to distribute to clients or use in commercial marketing materials or for permission to post on a website.

Technology, Insurance

Oct. 20, 2025

Insuring the age of AI

As AI transforms business risks, the insurance industry faces growing uncertainty over whether existing cyber policies will cover AI-related losses or whether entirely new forms of coverage will be needed.

Richard DeNatale

Richard DeNatale is recognized as one of the nation's leading authorities in cyber insurance. He has represented over 125 companies in obtaining coverage for data breaches and cyberattacks, including some of the largest in history. DeNatale is semi-retired after a career of almost 40 years in Big Law, most recently as a partner at Jones Day.


One of the most urgent issues facing the insurance industry is whether, and to what extent, coverage will be available for damage caused by artificial intelligence. As discussed in our last Daily Journal column ("Will today's insurance policies cover tomorrow's AI risk?" Sept. 15, 2025), it is not yet clear whether AI-related risks will be covered under current insurance policies or whether new forms of insurance will be needed.

Our prior column reviewed the terms typically found in cyber policies, which make no distinction between harm caused by humans and harm caused by autonomous agents. In most cases, coverage applies equally to both. Nor do most cyber policies contain exclusions for losses caused by AI technology. As a general matter, if a claim is otherwise covered under a cyber policy, there is no reason coverage should be lost when the cause or consequence of the claim involves artificial intelligence.

But this optimistic assessment of coverage must be tempered by lessons from the last time the insurance industry faced a technological revolution. Between 1995 and 2005, the explosive growth of the internet transformed society in ways just as profound as AI is expected to do today. Businesses developed entirely new methods of commerce and communication. Vast amounts were invested in digital networks and IT infrastructure, and electronic data became an asset as important as buildings, inventory and equipment.

Lessons from the past

As with the current development of AI, the insurance industry was slow to respond to the internet revolution. By 2005 some insurers were marketing cyber policies, but only a small fraction of policyholders purchased them. Insurers also made modest changes to their traditional policies for commercial general liability (CGL), crime and property insurance to cover certain digital losses. For example, the standard form for CGL insurance was revised to expand coverage for invasion of privacy claims, with the revised terms covering claims for publication "in any manner" of material that violates privacy rights including "through the Internet or similar electronic means of communication." 

It was not until 2008 that insurers saw the first wave of claims for cyber losses -- most of which stemmed from data breaches at U.S. businesses. Corporate policyholders sought coverage for the cost of investigating the breach, restoring lost data and defending customer claims for breach of privacy. While claims submitted under cyber policies were typically paid, policyholders submitting claims under traditional insurance policies encountered strong resistance from insurers.

Under commercial property policies, insurers denied coverage on the grounds that loss or destruction of electronic data did not constitute a "direct physical loss or damage to property." Under CGL policies, insurers came up with a host of reasons why the expanded coverage for invasion of privacy did not apply to claims for disclosure of personal information in a data breach. Insurers took the position that they did not intend to cover data breach losses under traditional insurance policies and, going forward, they added new exclusions to those policies to manifest this intent.   

There followed a period of uncertainty in insurance markets. Many policyholders who thought they had coverage for data breach losses had their claims denied and were forced into costly coverage litigation with mixed results. At the same time, companies had to scramble to procure cyber policies to fill the newly created coverage gaps.

What does this history tell us about the prospects for coverage in the age of artificial intelligence? We offer three takeaways.

The future of AI coverage

First, it may be several years before we have clarity on these issues. There is no consensus among cyber insurers on the treatment of AI claims. Insurers tend to act in response to a crisis, and it is doubtful that insurers will take a clear position on AI coverage until they face the first wave of major claims.

Second, when that wave arrives, it seems likely that insurers will respond the same way they did with the first wave of cyber losses. Why? Because their financial incentives will be the same -- namely, to avoid paying for an emerging category of loss and to generate additional revenue by offering new policies to cover AI risk. We can therefore expect cyber insurers to give heightened scrutiny to AI claims. Insurers may review policy applications to determine whether the company's use of AI tools was adequately disclosed. They may treat harmful actions by autonomous systems as intentional acts that are excluded from coverage. And they will likely argue that cyber policies were not intended to cover AI claims, while adding new exclusions to eliminate coverage going forward.

Third, there will be significant AI losses that do not fall within the scope of coverage for cyber policies. For example, cyber policies cover government regulatory claims for violation of data privacy laws, whereas developers and users of AI technology will be subject to different regulations and different types of claims. More importantly, autonomous agents that interact with their external environment will inevitably result in claims for bodily injury and property damage. Yet most cyber policies exclude coverage for such claims, and the few insurers who offer this coverage are likely to impose restrictions for injuries caused by artificial intelligence.

Predicting the future is always a perilous task. But the above factors suggest that cyber policies -- despite the favorable policy terms discussed in our prior column -- will be an imperfect vehicle for insuring AI risks. Policyholders that rely exclusively on cyber policies for their AI exposures will likely face years of uncertainty, encounter resistance to claims and find themselves with uninsured losses outside the scope of coverage.

Obtaining comprehensive coverage for AI risks will require a major modification to current cyber policies or a new form of insurance focused specifically on AI. Unfortunately, it is not clear when either solution will be widely available in the market. In the meantime, the best approach for policyholders is to identify the risks associated with their AI technology, expand coverage under their cyber policies where possible and stay informed regarding new insurance products designed to protect against AI risks.
